Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: What can we learn from the HSE attack? When is 2FA worth Sweet FA? Why wouldn’t cyber attackers be too worried about 30 countries working together to tackle the scourge of ransomware?
This week’s action: Check for updates.
>>>>> THREE ARTICLES <<<<<
1: What we can learn from the ransomware attack on Ireland’s health system
Ireland’s National Cyber Security Centre has produced an alert showing how an organisation can protect itself from the type of Conti ransomware attack that crippled Ireland’s health system earlier this year, including:
- User Training: “A training program and periodic campaigns should be utilised to raise cyber security awareness.”
- Accounts: “[E]mploy a policy of least permission. Only those who need access to a system should have access and the permissions that users have should be just sufficient to carry out their work.”
- Multi-Factor Authentication (MFA): “Multi-Factor Authentication should be enforced on all user accounts as well as Remote Desktop Protocol (RDP) accounts.”
- Backups: “Encrypted offsite backups are critical to any recovery from ransomware. Recovery of these backups should be tested regularly [..] [C]onsider the use of Immutable/WORM blobs as a backup option. [..] Immutable or Write Once Read Many storage is unchangeable once written and cannot be deleted or altered in any way. This provides an excellent mitigation [..], as it stops the attacker from rendering the system unrecoverable.”
It’s a short document (three pages). It’s a recommended read for anyone responsible for securing their business.
I’ll certainly be investigating how WORM (Write Once, Read Many) storage has developed since the days of CD-ROMs.
2: What we can learn from NIST’s recommendations to defend against ransomware
NIST recently released a Ransomware Profile “to help organizations identify and prioritize opportunities for improving their security and resilience against ransomware attacks.”
There are plenty of very specific dos and don’ts in here, but there is one I’d like to mention: “Allow only authorized applications—including establishing processes for reviewing, adding or removing authorized applications—on an allowlist.”
If you work in a large organisation, this won’t be news to you. But in my experience, smaller organisations are not as strict about which applications and executables are allowed to run on their PCs and laptops. This makes it easier for ransomware and other malware to run on a device. Of those who have tried to restrict the list of allowed (whitelisted) applications, many give up because of the effort involved and the inconvenience it causes.
If you haven’t adopted an allowlist, there are technologies out there that can help you. Microsoft’s AppLocker gives some basic defence, but it can be circumvented. From the little I have seen of ThreatLocker, it looks far more powerful and is worth a look.
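As an added example (not from the newsletter, and not a Microsoft or ThreatLocker recipe), here is one way to build an AppLocker allowlist with PowerShell while keeping the inconvenience down: generate the rules from a clean reference PC and roll them out in audit mode first, so nothing is blocked until you have seen what would be. It assumes a clean, fully patched reference machine and the standard Windows install paths; adjust the directories to your own estate.

```powershell
# Added example: build an AppLocker allowlist from a clean reference PC and apply it
# in AuditOnly mode, so staff are not locked out while the policy is tuned.
# Assumptions: run as Administrator on a clean "golden" image; directories are examples.

# AppLocker rules are only enforced while the Application Identity service is running.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# 1. Inventory the executables already present on the reference PC.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$files = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}

# 2. Generate rules: publisher rules where files are signed, hash rules otherwise.
#    -Optimize merges rules from the same publisher so the policy stays manageable.
[xml]$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize `
    -IgnoreMissingFileInformation -Xml

# 3. Start in AuditOnly: listed apps run as before, unlisted ones run but are logged.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$policyPath = "$env:TEMP\applocker-audit.xml"
$policy.Save($policyPath)

# 4. Dry-run: see how binaries outside the install directories would be treated.
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -Recurse |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone

# 5. Apply locally (use Group Policy or Intune to push the same XML to a fleet).
Set-AppLockerPolicy -XmlPolicy $policyPath

# Event 8003 = "would have been blocked if enforced". After a quiet audit period,
# change EnforcementMode to 'Enabled' in the XML and re-apply with Set-AppLockerPolicy.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```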
3: When 2FA is worth Sweet FA
6,000 customers of Coinbase, the second-largest cryptocurrency exchange in the world, “had funds stolen from their accounts after hackers used a vulnerability in Coinbase’s SMS-based two-factor authentication system to breach accounts.”
“Coinbase said the attackers could exploit this bug only if they knew the victim’s username and password.”
To paraphrase, Coinbase said their 2FA system was as useful as a plastic fork at a gunfight.
All customers will be reimbursed by Coinbase for their losses.
>>>>> TWO STATISTICS <<<<<
1: 30
The US administration will work with 30 countries to tackle the ransomware problem inflicting lots of pain and disruption around the world.
“This month, the United States will bring together 30 countries to accelerate our cooperation in combatting cybercrime.”
So far, so good.
“Other topics to be discussed will include 5G technology, supply chain attacks, quantum computing, and artificial intelligence.”
It sounds like a packed agenda, so I doubt the cyber attackers will be running for the hills just yet.
2: 2 billion
2 billion Google Chrome users have been advised to update to the latest version of the Chrome browser, after “Google reveals that Chrome’s 12th and 13th ‘zero day’ exploits of the year have been found [..] and they affect Linux, macOS and Windows users. Zero-day hacks are critical because it means they are known to hackers before Google could release a fix.”
Google has not released details of exactly what these vulnerabilities enable an attacker to do, so it’s hard to say what risk “normal” users are exposed to.
>>>>> ONE ACTION <<<<<
1: Check your updates
The Google Chrome alert is a useful reminder that keeping up with operating system updates is not the only thing to monitor. Applications like your internet browser are just as important. And don’t get me started on PDF readers and Microsoft Office.
Regularly check for updates, install them, and restart the application afterwards (just to be sure, to be sure!).